Check 11 of 24

Exposed Management Interfaces

Server control panels and database GUIs are designed for admin convenience, not internet-facing exposure. We probe for the well-known URLs and ports of the popular ones; finding any of them open to the public is a serious finding.

What this check probes

  • Database admin — /phpmyadmin/, /pma/, /myadmin/, /sqlbuddy/, /adminer.php, /dbadmin/.
  • Hosting control panels — yoursite:2082 (cPanel, plaintext), :2083 (cPanel over TLS), :2086 (WHM, plaintext), :2087 (WHM over TLS), :8443 (Plesk), :10000 (Webmin), :2222 (DirectAdmin).
  • Webmail — /webmail/, /roundcube/, /squirrelmail/, /horde/.
  • Application admin — /manager/html (Tomcat), /jenkins/, /grafana/, /kibana/, /rabbitmq/, /airflow/.
  • CMS admin — covered separately in Check 20 (admin panel discovery).

For each URL we look at the response status and headers to determine whether the panel is actually present, as opposed to a 404 or a catch-all page that the main application serves for any path.
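The following is an added example of that decision logic, not the scanner's own code. It classifies each probed path from its status, headers and, going one step beyond the status/header check described above, a body fingerprint compared against a baseline request for a random path, which is how a catch-all 200 is told apart from a real panel. All responses and the marker strings are constructed for illustration.

```python
"""Classify probe responses for well-known admin paths.

Added example, not the scanner's code. Responses are constructed in-line;
in a real run they come from an HTTP client. Marker strings are an
assumption for illustration, not a real fingerprint database.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Text a real panel's login page contains (assumed markers, lower-case).
PANEL_MARKERS = {
    "/phpmyadmin/": "phpmyadmin",
    "/adminer.php": "adminer",
    "/manager/html": "tomcat",
    "/jenkins/": "jenkins",
    "/grafana/": "grafana",
    "/webmail/": "webmail",
}


def fingerprint(body: str, path: str) -> str:
    """Hash the body with the requested path and whitespace removed, so a
    catch-all page that echoes the URL still matches the baseline."""
    normalised = re.sub(r"\s+", "", body.replace(path, ""))
    return hashlib.sha256(normalised.encode()).hexdigest()


def classify(path: str, resp: Response, baseline_path: str, baseline: Response) -> str:
    """Return 'present', 'gated', 'absent' or 'unknown' for one probed path."""
    if resp.status == 404:
        return "absent"
    if resp.status in (401, 403):
        # Basic-auth prompt or allow-list: the path exists even though the
        # panel itself is hidden. Still worth reporting.
        return "gated"
    if 300 <= resp.status < 400:
        location = resp.headers.get("Location", "")
        if 300 <= baseline.status < 400 and location == baseline.headers.get("Location", ""):
            return "absent"  # everything redirects there: the app's catch-all
        if "login" in location.lower():
            return "present"  # bounced to the panel's own login page
        return "unknown"     # redirect elsewhere, needs a human look
    if resp.status == 200:
        if baseline.status == 200 and fingerprint(resp.body, path) == fingerprint(
            baseline.body, baseline_path
        ):
            return "absent"  # identical to the page served for a random path
        marker = PANEL_MARKERS.get(path)
        if marker and marker in resp.body.lower():
            return "present"
    return "unknown"


def scan_results() -> dict:
    """Classify a constructed set of probe responses from one host."""
    baseline_path = "/zq8f1x2-probe/"
    catch_all = "<html><title>MyShop</title><p>Page not found: {}</p></html>"
    baseline = Response(200, {"Server": "nginx"}, catch_all.format(baseline_path))
    probes = {  # constructed responses
        "/phpmyadmin/": Response(200, {"Server": "Apache"},
                                 "<html><title>phpMyAdmin</title><form>...</form></html>"),
        "/adminer.php": Response(200, {"Server": "nginx"}, catch_all.format("/adminer.php")),
        "/manager/html": Response(401, {"WWW-Authenticate": 'Basic realm="Tomcat Manager Application"'}),
        "/jenkins/": Response(302, {"Location": "/jenkins/login?from=%2Fjenkins%2F"}),
        "/grafana/": Response(404, {}, "Not Found"),
        "/webmail/": Response(302, {"Location": "/"}),
    }
    return {p: classify(p, r, baseline_path, baseline) for p, r in probes.items()}


def findings(results: dict) -> list:
    """Paths to report: confirmed panels first, then gated ones, each sorted."""
    order = {"present": 0, "gated": 1}
    return sorted((p for p, v in results.items() if v in order),
                  key=lambda p: (order[results[p]], p))


if __name__ == "__main__":
    res = scan_results()
    for path, verdict in res.items():
        print(f"{path:15} {verdict}")
    print("report:", findings(res))
```

The baseline request is the important part: without it, any site whose front controller answers 200 for every URL would light up every path in the list. An "unknown" verdict is deliberately kept separate so it can be reviewed rather than silently counted either way.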

Why this matters for PCI DSS

Management interfaces are catastrophic when compromised: phpMyAdmin gives full database access; the Tomcat manager accepts WAR-file uploads, which is remote code execution in a single request; cPanel and Plesk control the entire server. Default credentials, weak passwords and unpatched RCEs in these panels are scanned for continuously at internet scale, so an exposed panel is found within hours, not months.

PCI DSS 4.0 Requirement 2.2.7 requires that all non-console administrative access is encrypted using strong cryptography. Requirement 7.2 requires that access to system components is assigned on a need-to-know, least-privilege basis. Requirement 8.4.1 requires multi-factor authentication for all non-console administrative access into the cardholder data environment (8.4.2 extends MFA to all access into the CDE, and 8.4.3 to all remote network access from outside the entity's network).

An admin panel exposed to the entire internet, even one with a login form, fails the spirit of all three: a single password is the only control between anyone on the internet and the database or the server.

How to fix it

In order of preference:

  1. Remove it: if you don't actively use phpMyAdmin or the Tomcat manager, uninstall it. The most secure software is the software that isn't installed.
  2. Bind to localhost + SSH tunnel: make the vhost or service that serves the panel listen on 127.0.0.1 only, and have admins reach it through an SSH tunnel (ssh -L 8080:localhost:80 user@server, then browse to http://localhost:8080/phpmyadmin/). The panel then inherits SSH's key-based authentication and logging.
  3. VPN-only access: put the management network behind a VPN (WireGuard, Tailscale, OpenVPN) and bind the panel to the VPN interface's address only, so the public internet sees nothing and only VPN peers can complete a TCP handshake with it.
  4. IP allow-list: at the firewall or web server, restrict the URL/port to specific source IPs (your office, admin home IPs). This is the weakest of the four: home IPs change, and behind a CDN or load balancer the web server sees the proxy's address rather than the client's unless real-IP handling is configured.

nginx IP allow-list example:

location /phpmyadmin/ {
    # allow/deny match the TCP peer address. Behind a CDN or load balancer
    # that is the proxy, so set real_ip_header/set_real_ip_from first.
    allow 203.0.113.10;          # office
    allow 198.51.100.42;         # admin home
    deny  all;                   # everyone else gets 403
    proxy_pass http://127.0.0.1:8080/phpmyadmin/;   # backend bound to localhost only
}

If you must leave it public, at minimum:

  • Rename the URL (e.g. /_admin_42/): security through obscurity only, but it removes the panel from drive-by scans of the default paths.
  • Add HTTP Basic Auth in front of the application's own login, over TLS only: Basic credentials are merely base64-encoded on the wire.
  • Enforce MFA inside the app where supported (cPanel, Plesk and Jenkins all support TOTP).
  • Patch aggressively: these panels are CVE magnets, and public exploits usually follow within days of a disclosure.

Fixed it? Re-run the scan to confirm.
